
qdevice-net-certutil: Add option for key size

This patch adds the -g option, which specifies the key size to
use when generating new public and private key pairs. This option
is passed directly to certutil.

Support for loading the sysconfig file
(/etc/sysconfig/corosync-qdevice) is also added. The
COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE variable can now be set in the
sysconfig file, which is equivalent to the -g option.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Jan Friesse 3 주 전
부모
커밋
58f094ae53
4개의 변경된 파일48개의 추가작업 그리고 8개의 파일을 삭제
  1. 6 1
      init/corosync-qdevice.sysconfig.example
  2. 14 3
      man/corosync-qdevice-net-certutil.8
  3. 1 0
      qdevices/Makefile.am
  4. 27 4
      qdevices/corosync-qdevice-net-certutil.sh

+ 6 - 1
init/corosync-qdevice.sysconfig.example

@@ -1,6 +1,11 @@
-# Corosync Qdevice daemon init script configuration file
+# Configuration file for the Corosync Qdevice daemon init script,
+# systemd unit and corosync-qdevice-net-certutil tool.
 
 # COROSYNC_QDEVICE_OPTIONS specifies options passed to corosync-qdevice command
 # (default is no options).
 # See "man corosync-qdevice" for detailed descriptions of the options.
 COROSYNC_QDEVICE_OPTIONS=""
+
+# COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE specifies the key size to use when generating
+# new public and private key pairs. This is equivalent to the -g option.
+#COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE=""

+ 14 - 3
man/corosync-qdevice-net-certutil.8

@@ -1,5 +1,5 @@
 .\"/*
-.\" * Copyright (C) 2016 Red Hat, Inc.
+.\" * Copyright (C) 2016-2026 Red Hat, Inc.
 .\" *
 .\" * All rights reserved.
 .\" *
@@ -31,11 +31,11 @@
 .\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 .\" * THE POSSIBILITY OF SUCH DAMAGE.
 .\" */
-.TH COROSYNC-QDEVICE-NET-CERTUTIL 8 2016-06-28
+.TH COROSYNC-QDEVICE-NET-CERTUTIL 8 2026-06-11
 .SH NAME
 corosync-qdevice-net-certutil - tool to generate qdevice model net TLS certificates
 .SH SYNOPSIS
-.B "corosync-qdevice-net-certutil [-i|-m|-M|-r|-s|-Q] [-c certificate] [-S ssh_command] [-C scp_command] [-n cluster_name]"
+.B "corosync-qdevice-net-certutil [-i|-m|-M|-r|-s|-Q] [-c certificate] [-g keysize] [-S ssh_command] [-C scp_command] [-n cluster_name]"
 .SH DESCRIPTION
 .B corosync-qdevice-net-certutil
 is a frontend for NSS certutil used for generating client certificate for the net model of
@@ -75,6 +75,16 @@ or ssh/scp will keep asking for a password - roughly 8 times the number of nodes
 .B -c
 File with certificate to load.
 .TP
+.B -g
+Specify the key size to use when generating new public and private key pairs.
+This option is passed directly to the
+.B certutil
+command. By default, this is left empty, meaning
+.B -g
+is not passed to
+.B certutil
+at all.
+.TP
 .B -S
 Alternative remote shell command to be use in place of ssh. If not specified, ssh is used.
 .TP
@@ -86,6 +96,7 @@ Name of the cluster.
 .SH SEE ALSO
 .BR corosync-qnetd (8)
 .BR corosync-qdevice (8)
+.BR certutil(1)
 .SH AUTHOR
 Jan Friesse
 .PP

+ 1 - 0
qdevices/Makefile.am

@@ -164,6 +164,7 @@ corosync-qdevice-net-certutil: corosync-qdevice-net-certutil.sh
 	sed -e 's#@''DATADIR@#${datadir}#g' \
 	    -e 's#@''BASHPATH@#${BASHPATH}#g' \
 	    -e 's#@''COROSYSCONFDIR@#${COROSYSCONFDIR}#g' \
+	    -e 's#@''INITCONFIGDIR@#${INITCONFIGDIR}#g' \
 	    $< > $@
 
 TESTS				= qnetd-cluster-list.test dynar.test dynar-simple-lex.test \

+ 27 - 4
qdevices/corosync-qdevice-net-certutil.sh

@@ -1,7 +1,7 @@
 #!@BASHPATH@
 
 #
-# Copyright (c) 2015-2018 Red Hat, Inc.
+# Copyright (c) 2015-2026 Red Hat, Inc.
 #
 # All rights reserved.
 #
@@ -52,7 +52,7 @@ REMOTE_SHELL_EXECUTABLE="ssh"
 REMOTE_COPY_EXECUTABLE="scp"
 
 usage() {
-    echo "$0: [-i|-m|-M|-r|-s|-Q] [-c certificate] [-S ssh_command] [-C scp_command] [-n cluster_name]"
+    echo "$0: [-i|-m|-M|-r|-s|-Q] [-c certificate] [-g keysize] [-S ssh_command] [-C scp_command] [-n cluster_name]"
     echo
     echo " -i      Initialize node CA. Needs CA certificate from server"
     echo " -m      Import cluster certificate on node (needs pk12 certificate)"
@@ -61,6 +61,7 @@ usage() {
     echo " -Q      Quick start. Uses ssh/scp to initialze both qnetd and nodes."
     echo ""
     echo " -c certificate      Ether CA, CRQ, CRT or pk12 certificate (operation dependant)"
+    echo " -g keysize          Key size in bits - passed directly to certutil as -g parameter"
     echo " -S ssh_command      Alternative remote shell command to be use in place of ssh. If not specified, ssh is used."
     echo " -C scp_command      Alternative remote copy command to be use in place of scp. If not specified, scp is used."
     echo " -n cluster_name     Name of cluster (for -r and -s operations)"
@@ -85,6 +86,16 @@ usage() {
     exit 0
 }
 
+get_certutil_key_params() {
+    CERTUTIL_PARAMS=""
+
+    if [ ! -z "$COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE" ];then
+        CERTUTIL_PARAMS="$CERTUTIL_PARAMS -g $COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE"
+    fi
+
+    echo "$CERTUTIL_PARAMS"
+}
+
 create_new_noise_file() {
     local noise_file="$1"
 
@@ -178,7 +189,8 @@ gen_cluster_cert_req() {
 
     echo "Creating new certificate request"
 
-    certutil -R -s "CN=$CLUSTER_NAME" -o "$CRQ_FILE" -d "$DB_DIR" -f "$PWD_FILE" -z "$NOISE_FILE"
+    certutil -R -s "CN=$CLUSTER_NAME" -o "$CRQ_FILE" -d "$DB_DIR" -f "$PWD_FILE" -z "$NOISE_FILE" \
+        $(get_certutil_key_params)
 
     echo "Certificate request stored in $CRQ_FILE"
 }
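Review bot: The key size reaches certutil without any validation: the added `$(get_certutil_key_params)` is deliberately unquoted so that `-g` and the value split into two arguments, which also means a value containing whitespace (from `-g` or from the sysconfig file) turns into extra certutil arguments rather than a single key size. Because get_certutil_key_params runs inside a command-substitution subshell, an error or `exit` inside it cannot stop the script, so the check belongs where the variable is final, after the getopts loop (which ends outside this page): `case "$COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE" in *[!0-9]*) echo "$0: key size must be a positive integer" >&2; exit 1;; esac`. gen_cluster_cert_req starts before this hunk.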
@@ -276,11 +288,19 @@ quick_start() {
     done
 }
 
+# Initialize options that may be overwritten by the configuration file
+COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE=""
+
+# Import configuration file if it exists
+if [ -f "@INITCONFIGDIR@/corosync-qdevice" ];then
+    . "@INITCONFIGDIR@/corosync-qdevice"
+fi
+
 OPERATION=""
 CERTIFICATE_FILE=""
 CLUSTER_NAME=""
 
-while getopts ":hiMmQrc:S:C:n:" opt; do
+while getopts ":hiMmQrc:g:S:C:n:" opt; do
     case $opt in
         r)
             OPERATION=gen_cluster_cert_req
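Review bot: Sourcing `@INITCONFIGDIR@/corosync-qdevice` with `.` executes the file as shell rather than reading KEY=VALUE pairs, so whatever is in that file runs with the privileges of the user invoking the tool (typically root); that matches how init scripts usually consume sysconfig files, but it deserves a comment next to the `. ` line, e.g. `# Sourced as shell, not parsed: keep the file root-owned and limited to simple assignments`. The new header of the example file also says the same file feeds the systemd unit; if that is via EnvironmentFile=, the file must stay in the plain VAR=value form systemd accepts, which the example could state so the two consumers do not drift apart. The `OPERATION=gen_cluster_cert_req` case and the rest of the getopts loop continue past the end of this hunk.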
@@ -312,6 +332,9 @@ while getopts ":hiMmQrc:S:C:n:" opt; do
         c)
             CERTIFICATE_FILE="$OPTARG"
             ;;
+        g)
+            COROSYNC_QDEVICE_NET_CERTUTIL_KEY_SIZE="$OPTARG"
+            ;;
         \?)
             echo "Invalid option: -$OPTARG" >&2